CVE-2026-45372

Advisory lineage Upstream: 0 Downstream: 1
Undergoing Analysis
Published: 29 May 2026, 19:21
Last modified:29 May 2026, 19:21

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.9 CRITICAL
v3.1 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

29 May 2026, 19:21
Published
Vulnerability first disclosed

Description

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check (is_field_value) is run before decoding, so encoded %0D%0A passes the check and is then expanded to a literal \r\n byte pair inside the stored header value. This vulnerability is fixed in 0.44.0.

CVSS Metrics

  • v3.1CRITICALScore: 9.9CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L

Techniques & Countermeasures

  • CWE-93Improper Neutralization of CRLF Sequences ('CRLF Injection')

    The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

  • CWE-444Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

    The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

Affected Systems

  • yhirosecpp-httplib

    < 0.44.0

References (1)